Endpoint.Port does not exist for Security Group of RDS Proxy


Hi there,

we are having issues with deploying our stack. It worked until Friday, Feb 09, and then all of a sudden it stopped working with the below error saying that the security group cannot access an attribute.

AWS::EC2::SecurityGroupIngress | .../.../SecurityGroup/from DatabaseSecurityGroupXXX:{IndirectPort} (DatabaseSecurityGroupfromDatabaseSecurityGroupYYYYIndirectPortZZZ) Attribute 'Endpoint.Port' does not exist

The application we want to deploy consists of

  • an RDS instance
  • a proxy for the RDS instance
  • a Fargate Service/EC2 cluster with an application accessing that RDS instances
  • a memory cache for our application
  • a load balancer in front of the Fargate service
  • a VPC with a private subnetwork (contains RDS instance, proxy, and memory cache), private with egress (contains the Fargate service), and a public network (contains the LB)
  • a security group to which both proxy and RDS instance belong

We assumed there would be some kind of race condition causing one service to be created too late, so we tried to specifically set the deploy order

  • RDS instance --> proxy --> Fargate service and
  • RDS instance --> IngressRule --> TargetGroup --> Proxy --> Fargate service
  • we also tried to give the proxy its own security group

We are using AWS CDK for deployment, so the CFN template is generated. This is what the snippet with the security group currently looks like:

    # Property keys (Properties, FromPort, GroupId, SourceSecurityGroupId, ToPort, Metadata)
    # were lost in extraction; restored here assuming the standard CDK output shape.
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      Description: Allow connections to the database Instance from the Proxy
      FromPort:
        Fn::GetAtt:
          - DatabaseInstanceAAAA
          - Endpoint.Port
      GroupId:
        Fn::GetAtt:
          - DatabaseSecurityGroupYYYY
          - GroupId
      IpProtocol: tcp
      SourceSecurityGroupId:
        Fn::GetAtt:
          - DatabaseSecurityGroupYYYY
          - GroupId
      ToPort:
        Fn::GetAtt:
          - DatabaseInstanceAAAA
          - Endpoint.Port
    Metadata:
      aws:cdk:path: path/to/Database/SecurityGroup/from DatabaseSecurityGroupYYYY:{IndirectPort}

Nothing helped. Now we are out of ideas... Is there someone who once observed a similar behavior or has a clue what we miss here? Or did AWS deploy some kind of update?



1 answer

Hi Cindy,

Given the error message, it seems to be just a syntax error in your CFN template. Can you update your question with just the fragment where you refer to Endpoint.Port?

You may either have to use the CFN GetAtt intrinsic function or $notation depending on your exact context.




AWS
answered 9 days ago
  • Hi Didier,

    we are using AWS CDK for deployment, so the CFN template is generated. Nevertheless, I updated the question with the corresponding snippet. Best, Cindy
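One way to act on the answer's suggestion before deploying, as an added example that is not part of this thread or of the question's stack: the script below walks a CDK-synthesized JSON template, resolves every Fn::GetAtt to its target resource and flags references to undefined resources or to attributes that the resource type does not expose (the CloudFormation error in the question is of the second kind). The attribute table is a hand-maintained subset covering AWS::RDS::DBInstance, AWS::RDS::DBProxy and AWS::EC2::SecurityGroup, the embedded template is constructed for the example with one valid and one invalid rule, and the script does not claim to diagnose the root cause of Cindy's failure.

```python
"""Flag Fn::GetAtt references that CloudFormation would reject.

Added example for this thread (not the question's stack): walks a synthesized
JSON template and reports GetAtt references to undefined resources or to
attributes the referenced resource type does not expose.
"""
import json
import sys
from typing import Any, Iterator

# Hand-maintained subset of documented GetAtt attributes per resource type
# (assumption: extend from the CloudFormation resource reference as needed).
KNOWN_ATTRIBUTES: dict[str, set[str]] = {
    "AWS::RDS::DBInstance": {
        "DBInstanceArn", "DbiResourceId",
        "Endpoint.Address", "Endpoint.Port", "Endpoint.HostedZoneId",
    },
    # An RDS Proxy exposes a flat "Endpoint" string, not "Endpoint.Port".
    "AWS::RDS::DBProxy": {"DBProxyArn", "Endpoint", "VpcId"},
    "AWS::EC2::SecurityGroup": {"GroupId", "VpcId"},
}


def _split_getatt(target: Any) -> tuple[str, str]:
    """Return (logicalId, attributeName) from either Fn::GetAtt form."""
    if isinstance(target, str) and "." in target:      # "Logical.Attr.Sub"
        logical, attr = target.split(".", 1)
        return logical, attr
    if isinstance(target, list) and len(target) == 2:  # ["Logical", "Attr.Sub"]
        return str(target[0]), str(target[1])
    raise ValueError(f"malformed Fn::GetAtt: {target!r}")


def iter_getatts(node: Any, path: str = "") -> Iterator[tuple[str, str, str]]:
    """Yield (json_path, logicalId, attribute) for every Fn::GetAtt in the tree."""
    if isinstance(node, dict):
        if "Fn::GetAtt" in node:
            logical, attr = _split_getatt(node["Fn::GetAtt"])
            yield path, logical, attr
            return
        for key, value in node.items():
            yield from iter_getatts(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_getatts(value, f"{path}[{index}]")


def lint_getatts(template: dict) -> list[str]:
    """Return one human-readable finding per GetAtt that cannot resolve."""
    resources = template.get("Resources", {})
    findings: list[str] = []
    for path, logical, attr in iter_getatts(template):
        if logical not in resources:
            findings.append(f"{path}: Fn::GetAtt references undefined resource '{logical}'")
            continue
        resource_type = resources[logical].get("Type", "")
        known = KNOWN_ATTRIBUTES.get(resource_type)
        # Types missing from KNOWN_ATTRIBUTES are skipped: we cannot judge them.
        if known is not None and attr not in known:
            findings.append(
                f"{path}: attribute '{attr}' does not exist on {logical} ({resource_type})"
            )
    return findings


def _ingress(port_source: str) -> dict:
    """Build an ingress rule shaped like the CDK output quoted in the question."""
    return {
        "Type": "AWS::EC2::SecurityGroupIngress",
        "Properties": {
            "FromPort": {"Fn::GetAtt": [port_source, "Endpoint.Port"]},
            "GroupId": {"Fn::GetAtt": ["DatabaseSecurityGroupYYYY", "GroupId"]},
            "IpProtocol": "tcp",
            "SourceSecurityGroupId": {"Fn::GetAtt": ["DatabaseSecurityGroupYYYY", "GroupId"]},
            "ToPort": {"Fn::GetAtt": [port_source, "Endpoint.Port"]},
        },
    }


# Constructed sample template: one rule takes its port from the DB instance
# (valid), one from the proxy (invalid, the shape of the error in the question).
SAMPLE_TEMPLATE: dict = {
    "Resources": {
        "DatabaseInstanceAAAA": {"Type": "AWS::RDS::DBInstance", "Properties": {}},
        "DatabaseProxyBBBB": {"Type": "AWS::RDS::DBProxy", "Properties": {}},
        "DatabaseSecurityGroupYYYY": {"Type": "AWS::EC2::SecurityGroup", "Properties": {}},
        "IngressFromInstancePort": _ingress("DatabaseInstanceAAAA"),
        "IngressFromProxyPort": _ingress("DatabaseProxyBBBB"),
    }
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    problems = lint_getatts(template)
    print("\n".join(problems) or "no unresolved Fn::GetAtt references")
    sys.exit(1 if problems else 0)
```

Point it at the JSON that `cdk synth` writes under `cdk.out/` (for example `python lint_getatt.py cdk.out/MyStack.template.json`); it prints one line per finding and exits non-zero when any exist, so it slots into a pre-deploy check. Resource types absent from the table are deliberately skipped rather than reported, so the check stays silent where it has no knowledge.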
